lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY18-F163E086176F099E97AF60879A0@phx.gbl>
Date: Tue, 28 Dec 2004 11:20:05 +0000
From: "ShredderSub7 SecExpert" <shreddersub7@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Remote code execution with parameters withoutu ser interaction, even with XP SP2


PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
Discussion: http://www.freewebs.com/shreddersub7/expl-discuss.htm

------------------Which systems are vulnerable?--------
Any system running any Microsoft Windows XP edition with Internet Explorer 6 
or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet 
Explorer 6 or higher.

------------------How does this exploit work?-----------
The problem with Internet Explorer is that it doesn't set any restrictions 
on web pages that request opening a Windows Help file, compiled with HTML 
Help.

Without a restriction, we can (in Internet Explorer) easily command to open 
any local web page stored on a victim's computer, including web pages that 
are

founded in Windows Help files (with extension .CHM). In this PoC (Proof of 
Concept, see below for viewing the PoC), the web page

"alt_url_enterprise_specific.htm" (that is founded in the Windows Help file 
"ntshared.chm") will be opened in the HTML Help program "hh.exe".
Since we now opened a web page stored in a Windows Help file (.CHM), it is 
possible (thanks to the exploit) to execute a HTML Help control (in this 
case, an

ActiveX control) that only fully works in Help files. So in this PoC, we 
choosed to launch an ActiveX control for HTML Help. Then, this ActiveX 
control will execute

any program we want, in this example that's "cmd.exe".

Thanks to the exploit, it is even possible to add parameters to the executed 
program (here: cmd.exe), so that you can easily start malware out of 
"cmd.exe". In

this PoC, we added the parameter "/c pause" to the execution code "cmd.exe", 
and the result is a DOS Prompt with the text "Press any key to continue. . 
.".

To make it complete, the 2 needed programs (Internet Explorer and HTML Help) 
will be automatically shutted down after the execution is finished. In this 
PoC,

HTML Help and Internet Explorer will be automatically closed after the 
execution, without user interaction.

PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
Reproduce PoC and discussion: 
http://www.freewebs.com/shreddersub7/expl-discuss.htm

--------------How to avoid this exploit...-------------
Since there are no patches from Microsoft available yet, here are some 
(temporary?) solutions:  Disable Internet Explorer
or disable Active Scripting (HOW?).
OR Use another browser,for example Mozilla FireFox.

More info (like credits, things that are included etc.) about this exploit 
can be found at http://www.freewebs.com/shreddersub7/expl-discuss.htm

Contact: ShredderSub7_at_hotmail.com

_________________________________________________________________
Maak gratis je eigen blog op MSN Spaces http://spaces.msn.com/?mkt=nl-be



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ